Zoe Baird, head of the Markle Foundation, calls for using IT to improve health care and national security, while preserving civil liberties.


COMPUTERWORLD 


Inside 




Could job success be a simple matter of working harder than anyone else? page 44


Scams, Spams, Shams

How cybervillains are out to attack your company's good name - and what you can do about it.

PAGE 22


The power of desktop virtualization.

Thousands of virtual desktops and applications, in any combination, now in your capable hands. Citrix XenDesktop with HDX technology gives you an effortless way to deliver high-definition Windows desktops as a personalized, on-demand service.

No matter how many devices, users or locations you support, control every one of them from a single set of secure, centrally managed images. All from one convenient location — your fingertips.

Think of it as simplicity, delivered.

Simplicity is power. Citrix.

Citrix.com/SimplicityIsPower


Smarter technology for a Smarter Planet:

Finding meaning in the noise.

An unprecedented amount of information flows through companies every day. But to what effect? A recent study found that 52% of managers have no confidence in the information they rely on to do their job. Without the right approach to business intelligence, companies struggle to turn all that information into sound decisions. IBM business intelligence and performance management solutions give you the smarter tools you need to access the right information, making it available to the right people when and how they need it. Today IBM is helping over 20,000 companies spot trends, mitigate risk and make better decisions, faster. In fact, we helped a major retail supplier achieve this by cutting their average financial reporting time by almost 50%.

A smarter business needs smarter software, systems and services.


This Week Online

Virtualization: Tips for Avoiding Server Overload

What to do when vendors over promise, the boss demands ROI, and you're saddled with wildly impractical expectations.

Getting a Grip on Multivendor Virtualization

Blog Spotlight

ARMing Desktop Linux

Steven J. Vaughan-Nichols: Linux may be the desktop underdog, but the open-source OS was once king on netbooks. That time can come again - provided processor company ARM chooses to play along.

Why Has Ray Ozzie Failed at Microsoft?

Ray Ozzie, the creator of groundbreaking software such as Lotus Notes and Groove, has been a bust as Microsoft's chief software architect.

Why Application-Layer Defenses Belong in the Applications

OPINION: Intrusion-detection tools might seem up to the job of stopping SQL injection attacks, but they aren't.

Browser Wars Redux

A major new version of each of the top five browsers came out this year, and now Firefox, Google Chrome, Internet Explorer, Opera and Safari are vying for market share.

A Case for Easy SSD Installation

The NZXT Lexa S is a midtower box that makes it simple to modify a 3.5-in. bay to accept two 2.5-in. drives.

Here Comes Windows 7

Visit Computerworld.com's special Windows 7 page for all the latest news on Microsoft's new operating system.

The Pros and Cons of Windows 7 for Business

OPINION: With the launch of Windows 7 just three days away, enterprise IT organizations are running out of time to get ready.

New Machines for a New OS

Here's a look at some of the new notebooks and netbooks that are being built with Windows 7 in mind.

Shark Tank

Big Red Button

The old data center had buttons next to each door to automatically swing them open. The new data center had buttons, too - but not for opening doors. Here's how one user learned the difference.

computerworld.com/news




Smarter technology for a Smarter Planet:

Service in the age of smart assets.

Smart assets are making it possible to spread intelligence into everything from power lines to railroad lines to assembly lines. The challenge is: how do you choreograph the physical and the digital to provide the quality services your customers expect and the flexibility your business needs? IBM's approach to service management can help you extend visibility, control and automation through all of your company's services so you can easily modify existing services or quickly add new ones, laying the groundwork for a more dynamic infrastructure. We're helping companies all over the world — 20 of the 20 top telcos and 7 of the 10 largest automotive manufacturers — reach beyond the datacenter to deliver flexible services in a smarter way.

A smarter business needs smarter software, systems and services. Let's build a smarter planet. ibm.com/svcmgmt


Sharon Gaudin, Matt Hamblen, Gregg Keizer, Eric Lai, Lucas Mearian, Patrick Thibodeau, Jaikumar Vijayan

Send letters to letters@computerworld.com. Include an address and phone number for immediate verification. Letters will be edited for brevity and clarity.


It's great to see a well-balanced article about Twitter and its business applications that gets people past the "I don't want to see what people are having for breakfast" reaction. Scot Finnie is right that Twitter has some very useful business advantages when it's used and read in the

companies might find it worthwhile to run a private server for an equivalent service that's limited to the corporate intranet. That is, employees could message and follow each other, but the messages wouldn't go out to the Internet proper at all, which means they couldn't be displayed on somebody else's Web site.

■ Submitted by: David Harmon


Upkeep Makes Laptops Costly In Years 4 and 5

Laptops should actually be replaced every two years. This is particularly true nowadays, since their purchase prices are where good desktop prices were just a few years ago.

■ Submitted by: KeleHawaii

What? Just because something's cheap to replace, it should be replaced? Even if it works? Even if it satisfies 100% its owner's needs?

No wonder we're the No. 1 garbage-producing country on the planet.

I can only conclude either that A) number-crunchers get so caught up in their numbers that they totally lose connection with reality, or B) the old adage is true that a sharp

They're going on their third and fourth years with no problems.

How long will my personal Toshiba (minimal, XP, 500MB RAM, $500 original cost) live? Who knows? I've forgotten when I bought it, but I think maybe four or five years ago.

In accordance with the thinking behind this article, I personally would have spent $400 that I didn't need to last year. My department would have spent a few thousand dollars for nothing. I don't know about where the author lives, but in Arkansas, we can't afford to throw


Microsoft Loses Sidekick Users' Personal Data

This is a horrible breach of confidence in the whole concept of cloud computing. If Microsoft (and T-Mobile) can't back up a server — my guess is a small server, at that — how can we trust them or anyone else with really valuable data?

And this was only a backup. Suppose that Sidekick users had been doing real live computing? This would be catastrophic.

I for one will not put anything important on a cloud platform until there is some reason to be confident that it will A) be dependable and B) be permanent.


The end of phone tag. Turn your desk phone and mobile phone into one with Sprint Mobile Integration. You'll have one number, one voicemail and one easy way to control mobile usage. Simplify the way your company stays in touch. Make it easier for clients to reach you. And reduce company telecom expenses. Less dialing, happier clients. Productivity starts now.

1-866-653-1056 sprint.com/convergence


■ HEADS UP


Gestures Shake Up the Mobile Experience

Touch screens have changed the way people use mobile phones. But gesture controls, augmented reality and larger screen sizes are about to change habits even more, according to mobile interface expert Christian Lindholm.

In the future, we'll see more sensors in devices that can transform the mobile user experience by allowing control through gestures and other types of hand movement, according to Lindholm, managing director of Fjordnet Ltd., a London-based consultancy that has helped organizations such as the BBC develop user interfaces for mobile devices.

The use of gestures and movements to control phones has already started to take off. Some Nokia Corp. devices allow users to reject calls by turning the phone upside down, and Apple Inc.'s iPhone has a "shake to undo" capability. Lindholm said the technology could also be used to share files with a flick of the wrist or by touching two devices together — as iPhone users can do with the Bump app.

De facto standards for gesture controls will eventually emerge so a particular task can be done in the same way no matter what device is used, he predicted.

Lindholm also has a side business — Berlin-based Tech21 Sensor GmbH — that is working to replace phone keyboards with trackpads, which could be used to sense gestures. Once devices are able to recognize gestures, the next step is for them to sense pressure. "So we could put a gas pedal and a brake pedal on keys," said Lindholm.

The technology will come to market in a couple of years, he said.

- Mikael Ricknäs, IDG News Service


Med Center CIO Lays Guilt Trip On Vendor Reps

Here's a tactic CIOs don't learn in business school: How to inflict guilt on vendor reps to make sure their technology works reliably.

Walter Fahey, CIO at Maimonides Medical Center in Brooklyn, said the 705-bed facility recently used the services of longtime vendor Verizon Communications Inc. to upgrade its networks in order to support electronic health records and transmit patient data to smartphones and other wireless devices used by doctors.

In an interview, Fahey said he frequently brings vendor sales representatives, including those from Verizon, into a Maimonides operating room and delivers a little speech. Fahey explains how important it is for complex applications to run reliably on robust networks to ensure that surgeons and nurses receive the right patient information at the right time.

"I bring the vendor reps in the operating room and tell them, 'Imagine if one of your relatives were here in surgery. Serious stuff. All this information has to be read, and it's really, really important.'"

as a negotiating tool to make sure vendors install technology properly and keep it running when needed, Fahey said, adding, "Guilt works because it's logical."


COMPUTERWORLD OCTOBER 19, 2009


ESET NOD32 Antivirus 4

Fast, Effective, Proactive Antivirus and Antispyware

Our award-winning proactive threat-detection technology delivers the most effective protection from viruses, spyware, and other internet threats. ESET software blocks most threats the moment they are released, avoiding detection latency common to competing products. And with super-fast, super-easy operation, we keep your users productive, and your help-desk load down.

www.eset.com


■  HEADS  UP 




SOFTWARE QUALITY

Fewer Bugs Found in Open-Source Code

The overall number of defects in open-source software projects is dropping, according to a new study by San Francisco-based vendor Coverity Inc.

Coverity, a maker of tools for analyzing programming code, received a contract in 2006 from the U.S. Department of Homeland Security to help boost the quality of open-source software, which is increasingly being used by government agencies for critical applications.

The vendor set up a Web site where open-source developers can submit code to be analyzed. A project is ranked on a scale of "rungs," based on how many defects have been resolved.

"Defect density" has dropped 16% over the past three years among the projects scanned through the site, and 11,200 defects have been eliminated, according to Coverity's latest report.

Four projects have been awarded the top-level Rung 3 status for resolving defects discovered in the previous stages: Samba, Tor, OpenPAM and Ruby. Coverity's Scan site so far has analyzed more than 60 million unique lines of code from 280 projects.

The company's scanning service uses static analysis, which checks code for security or performance problems without having to run an application. "Static analysis [tools] won't tell you that your business process is working correctly . . . but they will tell you that the code itself is technically solid and follows the kind of programming best practices you'd expect to see from code that has gone through a proper code review," said Forrester Research Inc. analyst Jeffrey Hammond, via e-mail.

He said the tools are most helpful for finding structural problems, such as memory leaks and buffer overflows, caused by poor programming practices, as well as more exotic conditions like errors caused by parallel execution of code in a multicore CPU environment.

- Chris Kanaracus, IDG News Service

Phishers Reveal Poor Passwords

It's terribly insecure, but the string of digits 1234567 is a popular password on Hotmail, according to security researcher Bogdan Calin, who analyzed 9,843 stolen passwords. Hotmail and several other Web e-mail providers were recently hit by phishing attacks that gleaned usernames and passwords.

In a blog post, Calin said the following were the most common passwords in the Hotmail collection: 123456, 123456789, alejandra, 111111, alberto, tequiero, alejandro and 12345678.

Calin said the phishing attack apparently targeted Latinos, given the popularity of Spanish phrases and names as passwords.

Security experts say that passwords should use a combination of letters, numbers and other characters and shouldn't include names, dates or dictionary words. But Calin found that just 6% of the stolen Hotmail passwords contained a mix of letters, numbers and other characters.

- Robert McMillan, IDG News Service
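The two measurements the Hotmail story reports (a frequency ranking of the leaked values and the share that mix letters, numbers and other characters) are the kind of audit a defender runs on a credential dump or on an internal password-policy review. The following is an added example, not code from the article or from Calin's blog post; the password list it runs on is constructed here, with the eight values the article names repeated so the ranking comes out in the reported order, and the remaining entries invented as filler.

```python
"""Password-composition audit of a leaked password list.

Added example in the spirit of Calin's analysis; not the researcher's code.
SAMPLE_PASSWORDS is constructed for illustration only.
"""
from collections import Counter

# Constructed sample: the eight most common values named in the article,
# repeated to give a clear ranking, plus a few invented entries.
SAMPLE_PASSWORDS = (
    ["123456"] * 8 + ["123456789"] * 6 + ["alejandra"] * 5 + ["111111"] * 4
    + ["alberto"] * 3 + ["tequiero"] * 3 + ["alejandro"] * 2 + ["12345678"] * 2
    + ["1234567", "qwerty", "Tr0ub4dor&3", "c0rrect-H0rse!", "mar!a2009", "pepe"]
)


def char_classes(password: str) -> set:
    """Return which of {'letter', 'digit', 'other'} occur in the password."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def composition(password: str) -> str:
    """Label a password by the character classes it mixes.

    'full mix' is the guidance quoted in the article: letters, numbers and
    other characters all present.
    """
    classes = char_classes(password)
    if classes == {"digit"}:
        return "digits only"
    if classes == {"letter"}:
        return "letters only"
    if classes == {"letter", "digit"}:
        return "letters+digits"
    if classes == {"letter", "digit", "other"}:
        return "full mix"
    return "other"


def mixed_fraction(passwords) -> float:
    """Share of passwords that contain letters, digits and other characters."""
    if not passwords:
        return 0.0
    return sum(composition(p) == "full mix" for p in passwords) / len(passwords)


def most_common(passwords, n: int = 8) -> list:
    """The n most frequent passwords, most frequent first; ties keep input order."""
    return [pw for pw, _ in Counter(passwords).most_common(n)]


def audit(passwords) -> dict:
    """Summarise a list the way the article summarises the Hotmail collection."""
    by_class = Counter(composition(p) for p in passwords)
    return {
        "total": len(passwords),
        "by_composition": dict(by_class),
        "full_mix_pct": round(100 * mixed_fraction(passwords), 1),
        "top": most_common(passwords),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    print(f"{report['total']} passwords, {report['full_mix_pct']}% with a full mix")
    for label, count in sorted(report["by_composition"].items()):
        print(f"  {label:15s} {count}")
    print("most common:", ", ".join(report["top"]))
```

Run against a real dump, the same two numbers tell a defender how far the user population is from the experts' guidance and which values belong on a blocklist.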




GOING GREEN WITH MICROSOFT SYSTEM CENTER

"We've now gone from 650 servers to 11 servers running 50 virtual machines per server with Microsoft Virtualization."

See how Kroll Factual Data was able to reduce their energy usage by 90% at itseverybodysbusiness.com/virtual


■  HEADS  UP 


GREEN TECH

Engineers Connect Server Sensors To Cooling System

An engineering team led by Lawrence Berkeley National Laboratory has successfully tested a novel system that could greatly improve the efficiency of data center cooling.

Most data centers err on the side of caution and cool their equipment more than they need to, thus wasting energy and money. But Lawrence Berkeley engineers, working with Intel Corp., Hewlett-Packard Co., IBM and Emerson Network Power, are experimenting with a way to deliver just the right amount of cooling to computing equipment.

They fed temperature readings from sensors that are built into most modern servers directly into the data center building controls so the air conditioning system could keep the facility at the optimal temperature to cool the servers.

It's a simple idea, but something that no one had succeeded in doing before, mostly because IT and facilities management systems have historically been kept separate. The researchers wrote software to bridge the protocol gap between the two systems.

Computer room air handlers, or CRAH units — basically, large air conditioners — are usually controlled via temperature sensors located on or near the CRAH air inlets. That's how 76% of data centers do it, according to a research paper about the experiment. The paper says 11% of data centers place the sensors in the cold aisles between the server racks, which is better but still not ideal.

Linking servers directly to the cooling systems represents "the most fruitful area in improving data center efficiency over the next several years," the paper says.

The energy savings will vary, but Bill Tschudi, a program manager at Lawrence Berkeley, predicts that most data centers would see a return on their investment within a year.

The study found that 90% of data centers are at least 5 degrees Celsius cooler than recommended. "There's this idea that the best data center is a cool data center, but what we've found is that it's safe to run them a little bit warmer," says Allyson Klein, a manager in Intel's server platform group.

- James Niccolai, IDG News Service


SECURITY MONITOR

Cloud computing, smartphones and social networks are the next playgrounds for hackers, according to Dhillon Andrew Kannabhiran, organizer of the recent Hack In The Box security conference in Kuala Lumpur, Malaysia. Targets include Facebook, Twitter, iPhones, BlackBerries and Android phones.

The event, which brings together security experts and self-proclaimed hackers, included sessions titled "Clobbering the Cloud," "Spying on BlackBerry Users for Fun" and "How to Own the World - One Desktop at a Time."


FUTURE WATCH

Robot Team Steers Clear Of Collisions

Japan's Nissan Motor Co. has built a team of small robots that can quickly navigate around obstacles with the help of technology that the company hopes to one day use in larger vehicles.

Modeled after the way a school of fish travels, the six robots follow one another, coordinate their speeds and even shift lanes to avoid obstacles. While the robots - called Eporo - are less than a meter high, the goal is to put similar navigation technology into full-size automobiles to reduce traffic accidents and road congestion.

"In these robots, we put laser range finders to see the outside," as well as telecommunications technology so the robots can communicate with one another, said Kazuhiro Doi, general manager of Nissan's technology communication department.

In a recent demonstration at Ceatec, Japan's largest gadget and IT trade show, Nissan set up a small track for the robots to travel around. At some points the track was wide and at others it was narrow so Nissan could demonstrate how the robots could shift from traveling in two or three lanes to just one. A broken robot was placed in the wide section of the track to simulate a disabled car, and the six robots were able to navigate around it.

The name Eporo, short for Episode




Empowered  by  Innovation 


NEC 


ible and secure when kept within a firewall.

While the CIA has been steadily building a cloud-friendly infrastructure — it has long used virtualization technology, for example — its decision to widely adopt cloud computing is a relatively recent one, Singer said.

said. "We were headed to an enterprise cloud all along" without using the term.

Today, the CIA also uses mostly Web-based applications and thin clients, reducing the need to administer and secure individual workstations, she said.

Singer said that security is bolstered by the CIA cloud's

managers can buy online applications and basic computing services from Google Inc., Salesforce.com Inc. and other vendors.

Run by the U.S. General Services Administration, the new Apps.gov site is initially focusing on the sale of online applications. It will eventually add IT services such as

and loss of control over data, may slow momentum, but Peterson said she expects to see "broader adoption and higher spending after the administration makes progress in some of the pilot programs it has planned." ■

Robert McMillan of the IDG News Service contributed to this story.




IBM Again the Focus Of U.S. Antitrust Probe

The DOJ investigates new complaints that IBM muffles mainframe competition.

By Patrick Thibodeau

of Justice's decision

antitrust inquiry into IBM's mainframe business could reignite a legal battle that started 40 years ago.

However the current investigation plays out, it will be compared to an antitrust lawsuit the DOJ filed against IBM in 1969 — starting perhaps the longest, most brutal antitrust case ever fought. That battle royale finally ended in 1982 when the case was dismissed after a six-year trial.

In the latest case, the DOJ has issued civil investigative demands (CID) — the equivalent of subpoenas — as part of a probe into competitors' claims that IBM is thwarting competition in the mainframe market. Issuing the CIDs "means they're really serious," said Robert Lande, a law professor at the University of Baltimore. "It's not something they would do lightly."

Hillard Sterling, an antitrust attorney at Chicago-based law firm Freeborn & Peters LLP, called the DOJ probe "part of a new governmental aggressiveness in the antitrust arena. IBM is a logical target for the DOJ, given IBM's clear monopoly power in the mainframe markets.

"The DOJ still must prove that IBM is abusing that power, though it shouldn't be hard to amass supporting evidence," Sterling added. "IBM apparently hasn't been shy about using its substantial leverage to maintain its

A DOJ spokeswoman

inquiry, which was disclosed this month by the Computer & Communications Industry Association (CCIA), a technology trade group that filed the complaint against IBM.

"We think we have a lot of smoking guns here showing really punitive behavior, threatening behavior, aimed at stopping companies and business models that had a chance to interfere with their monopoly position," said CCIA CEO Ed Black.

Black said there are potential competitors that could offer services and technologies that might cut costs for users. But many won't sell such products because they fear IBM would retaliate, he noted.

The CCIA alleges that IBM has refused to issue licenses for its mainframe operating system to competitors as required under previous DOJ rulings. In some cases, IBM has yanked licenses from users trying to switch from an IBM mainframe to a competitor's, Black contended.

In a statement, IBM said that it has "invested billions of dollars" in intellectual property and added, "We have a right to protect our . . .

IBM pledged to cooperate with the DOJ.

Jean Bozman, an analyst at IDC, said it's not clear how well IBM's mainframe operating system would run on non-IBM hardware platforms today. "The whole idea behind the mainframe is all the pieces fit together as an integrated system, so even if you can take the OS and run it somewhere else, how well would it run?"

According to IDC, in the category of high-end servers — systems that cost $500,000 or more — IBM's System z last year generated $5.1 billion worldwide.

It's that kind of revenue that makes this a high-stakes matter for IBM rivals. ■

Grant Gross of the IDG News Service contributed to this story.




Dossier

Zoe Baird

As head of the Markle Foundation, she brings IT to bear on two of today's most pressing issues: health care and national security.

nology and its potential to address previously intractable public problems.

We aim for sectoral change rather than projects, and today we work primarily in health and national security. These sectors can be vastly improved by putting the best information in the hands of decision-makers when they need it. We collaborate with some of the nation's leaders and experts in the areas of IT, health, national security, civil liberties and business to develop strategies for the use of IT to transform these sectors.

Continued on page 18




Three Platforms. One Provider. Complete Privileged Access Control

Introducing the new BeyondTrust.

A security strategy is only effective if it grows with your company. As enterprises deploy more Linux, UNIX, and Windows in heterogeneous IT environments, managing sensitive data in these multi-platform infrastructures can be difficult, complex, and costly.

Meet the new BeyondTrust, a leading provider of Privileged Access Lifecycle Management solutions for heterogeneous environments. Our leading products protect sensitive and confidential data through an effective combination of privilege delegation, strict user access control, privileged password management and secure audit trails. With solutions that prevent data breaches and achieve regulatory compliance, hundreds of Forbes 2000 companies rely on us to maximize their security while reducing complexity and administrative costs.

Try it free for 30 days at www.beyondtrust.com/cw

When it comes to managing risk, we have the key.

BeyondTrust. Control Access. Control Risk.

1-800-234-9072


■ THE GRILL | ZOE BAIRD




Continued  from  page  16 

Lot's  talk  about  tho  health  program  first 

What  b  its  facia?  Markle's  work  focus¬ 
es  on  the  idea  that  emerging  informa¬ 
tion  and  communications  technologies 
can  improve  people's  lives. 

In  the  health  arena,  Markle  has  been 
working  to  accelerate  the  use  of  infor¬ 
mation  technology  by  consumers  and 


the  health  system  that  supports  them 
to  improve  health  and  health  care. 

Health  has  lagged  behind  other  sec¬ 
tors  in  taking  advantage  of  the  Internet 
and  information  tools.  We  know  that 
there  are  great  benefits  to  modernizing 
the  way  health  information  is  collected, 
shared  and  analyzed.  We  can  avoid 
medical  errors,  use  the  best  treatment 
methods  more  widely,  eliminate  dupli¬ 
cative  costs,  and  much  more  —  if  we  use 
IT  in  health  as  we  do  in  other  sectors. 

Markle's  Connecting  for  Health  ini¬ 
tiative  is  a  public-private  collaborative 
established  in  2002  that  brings  together 
a  diverse  group  of  health,  policy  and 
technology  leaders.  Over  the  years,  well 
over  100  organizations  have  participat¬ 
ed  in  this  collaborative,  representing  a 
diversity  of  interests,  including  those  of 
consumer  groups,  clinicians,  hospitals, 


technology  experts  and  business. 

How  can  technology  hoip  eliminate  some 
of  the  problems  wtth  the  systems  in  use 
today?  It  is  a  well-known  fact  that  the 
U.S.  has  the  most  expensive  health 
care  system  in  the  world,  yet  we  rank 
37th  in  quality.  Health  care  consumes 
17%  of  our  nation’s  GDP.  And  it  is  a 
growing  share  of  GDP. 

We  need  to  use  IT  in  health  care  to 
improve  the  quality  of  care,  control 
growth  in  costs,  stimulate  innovation 
and  protect  privacy. 

Achieving real health improvement and reining in health costs will not come about by simply digitizing existing information or making electronic the things that now occur on paper.

We  need  to  get  information  about 
the  best  care  and  treatments  into  the 
hands  of  clinicians.  We  need  to  give 
patients  tools  and  information  to  make 
better  decisions  about  their  own  care. 
We  need  providers  to  be  able  to  use 
technology  to  redesign  care  and  work 
more  collaboratively  with  each  other 
and  with  patients. 

Health IT can be the engine for all of this, but only if we set the right objectives. In other words, we have to set clear health improvement goals and expectations for more cost-effective care.

What are some of the similarities between Markle's work on health care IT and its efforts to promote the use of IT to improve national security? Both engage and collaborate with partners and experts across sectors and disciplines to find solutions. Both focus on how improving access to information can improve the decision-making process and the way government works. Both develop policies to guide the use of information and technology to protect American values, personal privacy and freedoms.

Both embrace similar approaches to technology, including the use of decentralized networks that empower individuals contributing to and using the system, [and similar approaches to] authentication and audit for security. Both work toward common guidelines that allow organizations to exchange information efficiently and communicate effectively. And both consider the provision of appropriate incentives and performance mechanisms that can contribute to changing the way critical stakeholders think and work.

What are some of the problems with sharing information in terms of national security? [As much as] the nation has invested in national security since 9/11, we remain vulnerable to terrorist attacks and other threats, such as cyberattacks. We have not adequately improved our ability to protect the nation from these threats with good information that could help connect the dots between what is known in federal agencies, at various levels of government and in the private sector.

The Markle Task Force issued a report in March 2009 that concludes that the continued lack of information-sharing between federal, state and local agencies leaves the U.S. at risk.

At the same time, civil liberties are at risk because we don't have the governmentwide policies in place to protect them as intelligence collection has expanded. Our report urges the Obama administration to take swift action to ensure that policymakers have the best information available to confront a stark set of national security challenges, including terrorism, instability from the global economic crisis, energy security, climate change, cybersecurity and weapons of mass destruction.

— Interview by Sen Forrest, a freelance photographer and writer in New York (studio@sarqforrestphoto.com)


18 COMPUTERWORLD OCTOBER 19



1  technology  writer  and  former  senior  editor  at  Network  World. 


SECURITY SPOTLIGHT

Scams, Spams, Shams

Online social networks put a new face on brand-damaging activities, ranging from reputation attacks to imposter sites.


mark.  WWE  notified  MySpace,  which 
terminated  the  account  immediately. 

The growth of social networks has brought a variety of threats that can potentially damage a brand's good name. Most of those threats aren't new, however. Social networks have simply become another attack vector, whether for spreading malware, launching assaults on an individual's or company's reputation, or creating impostor social networking sites that divert traffic away from the brand's legitimate sites.

The Triple H incident wasn't the first time that an impostor had commandeered the name of a trademarked WWE personality. "We've had a lot of impersonations," mostly on Facebook, MySpace and Twitter, says Dienes-Middlen. In fact, it's enough of a problem that Twitter recently launched an initiative to verify some accounts.


"Our most valuable asset is our intellectual property. You have to protect [it] or you lose your rights to it."

LAUREN DIENES-MIDDLEN, VICE PRESIDENT OF INTELLECTUAL PROPERTY, WORLD WRESTLING ENTERTAINMENT

[...] them to relinquish control of the accounts. He points to the online market Tweexchange as a prime example of how trading in social network names is a growing business. Unlike domain names, however, social networks have no central authority like ICANN or established processes for reclaiming brand names from cybersquatters.

Some impostors are simply overzealous fans, but Dienes-Middlen is more [...]




[...] live. It also found 8,600 sites that had made pirated copies or footage of the event available after the fact. "Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy," says Liz Miller, vice president of the Chief Marketing Officer (CMO) Council.

THE COST OF PIRACY

Online counterfeiting also damages brands in other ways. For example, some people who buy pirated copies of Microsoft Corp.'s Windows operating system may think they have legitimate [...]


[...] today can make more money from the spyware and malware than they get from selling the pirated software itself.


VISITORS UNDER ATTACK


"If those outcomes were revealed, it would destroy the experience for the fans," Dienes-Middlen says, so all WWE employees are required to sign confidentiality agreements.


[...] by scammers to lure a brand's customers to malware or phishing sites — or to e-commerce sites hawking counterfeit or gray-market products. According to a survey by MarkMonitor, which tracks online threats for its clients, in the 12-month period ending in the second quarter of this year, phishing [...]


[...] senior marketing executives, nearly 20% of the respondents said they had been affected by online scams and phishing schemes that had hijacked [...]


IT needs to push back more when marketing plans can jeopardize brand security. It must, for example, fight pressure to rush Web site changes through without thorough security checks. "I don't think IT does a good job of saying, 'Here's all of the IT issues with the brand upkeep,'" Rentschler says.






[...] isn't shutting down the sites that WWE finds, but keeping up with the new ones that continue to crop up. While businesses can assign employees to do that, she recommends trying a third-party monitoring service to get a handle on the problem. Dienes-Middlen thought she had things under control — until she did a test run with brand protection service MarkMonitor Inc. The losses WWE had uncovered on its own were just the "tip of the iceberg" [...]

[...] chief operating officer to ask for additional funds to clamp down on the illicit activity. "This was something we needed to attack. Our most valuable asset is our intellectual property," Dienes-Middlen says. "You have to protect [it] or you lose your rights to it."


HERE'S THE SCENARIO: At-[...] of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site. The issue goes unnoticed until it's exposed publicly.


[...] but most fly under the radar because the users never know that a trusted Web site infected them, says Brian Dye, senior di-[...]-tec Corp. When his company tracks down [...] quietly notifies the Web site owner. But word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's reputation.

Attackers, often organized crime rings, gain entry using techniques such as cross-site scripting, SQL injection and remote file-inclusion attacks, then install malicious code on the Web server that lets them get access to the end users doing business with the site. "They're co-opting machines that can be part of botnets that send phishing e-mail, that are landing sites for traffic diversion and that host malware," says Frederick Feiman, chief marketing officer at MarkMonitor. But because the business's own Web site keeps working normally and isn't visibly affected, the administrators of most infected Web sites don't even know it's happening.

That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding that she has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf.

Most victims haven't associated such attacks with the Web sites that inadvertently infected them. But that may be changing.

The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says Gartner analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on search engine traffic. The next frontier, says Dye, may be attackers who use these types of exploits against the Web sites of high-profile brands and then publicize, or threaten to publicize, what happened.
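The browser and search-engine checks mentioned above work from the outside; a site owner can run a similar check from the inside before a warning page does it for them. The block below is an added example, not code from the article or from any of the vendors it quotes: it parses a served HTML page with the Python standard library and lists every script or iframe whose source points off-site, which is the form the injected content described above usually takes. The sample page, the host name www.example.com and the off-site addresses are constructed for illustration.

```python
"""Added example (not from the Computerworld article): list the off-site
script and iframe sources in a served HTML page, a quick integrity check for
the injected content that site owners usually miss. The sample page and all
host names are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src) in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def foreign_sources(html, own_host):
    """Return (tag, src) pairs whose host differs from own_host.

    Relative URLs have no host and are treated as first-party; so is any
    absolute URL on own_host itself. Everything else is flagged."""
    collector = SourceCollector()
    collector.feed(html)
    flagged = []
    for tag, src in collector.sources:
        host = urlparse(src).hostname
        if host is not None and host.lower() != own_host.lower():
            flagged.append((tag, src))
    return flagged


# Constructed sample page: two legitimate first-party includes, followed by a
# zero-size iframe and a remote script appended by an attacker with write
# access to the document root (198.51.100.7 is a documentation address).
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.example.com/static/analytics.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0"></iframe>
<script src="http://malware-host.invalid/x.js"></script>
</body></html>"""


def demo():
    """Run the check on the sample page; returns the two injected sources."""
    return foreign_sources(SAMPLE_PAGE, "www.example.com")


if __name__ == "__main__":
    for tag, src in demo():
        print(f"off-site {tag}: {src}")
```

A stronger version diffs each served page against the copy in version control, since an injection that uses a relative path or a lookalike first-party host passes this host check; the off-site list is still a cheap first alarm worth running on a schedule against the live site rather than the source tree.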

Preventing attacks like SQL injections requires using enterprise-class security [...]-detection systems, with a focus on behavioral analysis to spot attacks, Dye says. But Pescatore sees a more fundamental problem: rushing through Web site updates and ignoring development best practices designed to promote security. Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes place. The result: Vulnerabilities creep into the code. "Security groups often are forced to put Web application firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.

-  ROBERT  L.  MITCHELL 
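The "tinkering" Pescatore describes is how a SQL injection typically gets in: a query rebuilt by hand for a quick change. The block below is an added example, not from the article or from anyone quoted in it: a login lookup written with string formatting next to the parameterized form, both run against an in-memory SQLite database. The users table, the two accounts and the plaintext passwords are constructed for illustration only; a real system stores password hashes.

```python
"""Added example (not from the Computerworld article): a login query built by
string formatting beside the parameterized form, run against an in-memory
SQLite database with constructed sample users. Table and column names are
assumptions for illustration."""
import sqlite3


def make_db():
    """Constructed sample data: two accounts with (deliberately weak)
    plaintext passwords so the injection result is easy to see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", "admin"),
         ("alice", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'tinkered-in' bug: user input is spliced into the SQL text, so the
    attacker controls the query's structure, not just its values."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: placeholders send the values separately from the query
    text, so quotes in the input are data, never SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Classic payload: closes the username literal, then '--' comments out the
# rest of the statement, including the password check.
INJECTION = "admin' --"


def demo():
    """Run both forms with good credentials and with the payload."""
    conn = make_db()
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "hunter2"),
        "vuln_injected": login_vulnerable(conn, INJECTION, "anything"),
        "param_good_creds": login_parameterized(conn, "alice", "hunter2"),
        "param_injected": login_parameterized(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:18} -> {row}")
```

With the payload, the vulnerable query becomes `SELECT ... WHERE username = 'admin'` followed by a comment, so the password check disappears and the admin row comes back; the parameterized version receives the same string as a value and finds no such user. A Web application firewall can block this particular payload, which is the stop-gap Pescatore describes, but only the parameterized query removes the bug.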




REACHING OUT

The most popular uses of social networking [survey chart; percentages not recoverable from the page]: building a[...]; conducting market research; conducting background checks on job candidates; creating an alumni network of former employees.

CHATTERBOXES

[survey chart; percentages not recoverable from the page]: social networking groups; blogs, wikis or forums; content referral sites.

Source: Computerworld survey of 120 IT professionals, September 2009




Staying on Message

How companies are leveraging social networking sites to their advantage. By Jaikumar Vijayan

CLOSER TO CUSTOMERS

Zappos.com is a power player when it comes [to using sites such] as Facebook and Twitter to engage with existing and potential customers. Zappos CEO Tony Hsieh has nearly 1.? million followers on Twitter, and the company's official Facebook page has almost 21,000 fans.

Rather than using these channels to pitch products or sell its brand, Zappos [...] personal relationships with customers by talking to them about the company's culture and values. "It really is about who we are as a company rather than what [...]," says [...] Magness, [...] business development at Zappos. "We let our customers see our culture and decide if we are somebody they can relate with. It breaks down the barriers of consumer vs. company and becomes more about [...] buying from a friend," Magness says.

Zappos is among a growing number of companies using social media to engage with customers, suppliers, business partners and employees in various ways. Most are not as far along or as sophisticated in their use of such media as Zappos appears to be. In fact, many are only beginning to dip their toes in the social media waters, and the return on these investments is still unclear. What few dispute, however, is the tremendous reach of social media outlets such as Facebook, Twitter, MySpace, YouTube and LinkedIn and the potential those sites hold for fostering more interactive, and sometimes closer, relationships between companies, their customers and other con-[...]

[...] that in Zappos' case, much of its growing presence on social media has been organic in nature rather than the result of any strategic, long-term corporate plan. Zappos' use of Twitter, for example, began with employees tweeting one another about places to eat or the hottest parties to go to, and the use evolved from there, he says.

Today, Zappos has a dedicated page for Twitter on its site where nearly 500 of the company's 1,400 or so employees tweet regularly about what they're doing at work. The site also aggregates all public Twitter mentions of Zappos — the good, the bad and the ugly — and presents them in a single location. The company's Facebook page, meanwhile, features videos and pictures of company picnics, employees at work, office humor, motivational messages and much more.

There are no policies specifying which employees can or can't post on such sites or what they can say, Magness says. Instead, posters are left to use common sense in deciding what they want to say about the company. So far, at least, that laissez-faire attitude has worked just fine.

The informality and transparency has engendered what Magness believes is stronger customer loyalty. "To customers, we are not [...] They know our CEO as a person as opposed to someone hawking goods," he says. And the interactivity enabled by social media has also allowed the company to spot and respond to [...] issues faster, he says.

ALUMNI CONNECTIONS

Using Facebook, Twitter and LinkedIn gives organizations a way to meet people "where they are," says Alisa Robertson, assistant dean for alumni and corporate relations at the Wisconsin School of Business at the University of Wisconsin-Madison. The school is using all three sites to establish a robust two-way dialogue with its 36,000 alumni.

The university's Facebook presence is geared largely toward a younger audience and is used to promote events, relay news and in general create what Robertson describes as a "warm and nostalgic" feeling about the school among alumni. LinkedIn meanwhile has enabled the business school to locate "lots of lost alumni," Robertson says. The school has created several subgroups and affinity groups on LinkedIn to make it easier for alumni to connect with one another. "It's just an incredible Rolodex on LinkedIn. It's a great way to find people," Robertson says. Unlike the business school's Facebook page, its LinkedIn presence is decidedly more professional and is used to promote resources like career help and job opportunities.



[...] Paul Gillin, founder of Paul Gillin Communications, a social media consulting firm. "When you use the tools, you need to use them in the spirit of the culture that has evolved around them," says Gillin, who is a former Computerworld editor in chief. Often, that involves a higher degree of openness and transparency than a lot of companies might bargain for or be comfortable with, he says. It also often means [...]


[...]cial networks and the speed at which information travels over them can magnify the risk of sensitive or protected data ending up on Facebook or other social sites, Gillin says. And there is always the risk that someone in an organization could post something damaging or libelous about a company, its customers or its rivals. "There's kind of a party atmosphere with these tools. People are having a blast. They are [...]


[...]lated industries using Twitter could be required to archive their Tweets for discovery purposes. The relative lack of identity-vetting on LinkedIn could pose risks for companies that allow LinkedIn information to sit alongside their corporate directories. "You can't get too far ahead of the security and identity teams because they can at least tell you where the cautionary areas are," Gotta says.

"Education is critical," [...]

[...] of Twitter, on the other hand, is purely about extending its PR reach. "We do whatever we can on Twitter to promote faculty research finding[s]," Robertson says. "This is really where we try to get our message out to a broader [...]

[...] view social media purely as [...] don't always understand the implications of what they [...] doing," Gillin says. [...] need to be handled through policies, proce[dures] [...]

Melissa Anderson, director of public relations at the business school, says the decision to leverage such social media tools was driven by some very simple logic. "We are outmaneuvered and outspent" by competing business schools, she says. "We don't have a lot of budget for marketing, and we don't have a prime metropolitan location."

What social media has done is to level the playing field somewhat, says Anderson. "[...] It's been a way for us to communicate with a large number of people, and it has helped us tell our story."

MESSAGE MATCHED TO THE MEDIUM

Enterprises looking to use social media need to understand the environment in which they operate, says [...]

[...] a channel for pushing products and corporate messages, and treating it instead as an opportunity to have a more interactive dialogue with the target audience, Gillin says.

"The culture says you don't use them as one-way [...] whether they are blogs, social networking sites, wikis, or video- and photo-sharing sites, he says. "The unifying fact of social media is that [...]

To be sure, the reach of so-[...]

[...] to abandon social [...]

Legal, audit and compliance teams, which can [...]

[...] channels such as e-mail, says Gillin. And those responsible for maintaining a corporate presence on social media — typically employees in marketing and customer support — need to be sensitized to the risks as well, he says.

And while much of the early adoption of social media in enterprises has been driven [...]tions, human resources and [...] would be wise for companies diving into social media to bring IT, information security, legal and compliance teams into the picture as well, says Mike Gotta, an analyst at Burton Group.

He says companies in regu-[...]


[...]derwriting director at New York-based insurer Travelers Global Technology, a division of The Travelers Cos. In a recent Travelers Global Technology survey of 2,000 adults, about one in eight of [...] posting work-related information on social media sites, and two-thirds said their companies have no policies for addressing such issues.

Companies need to consider the potential impact of their presence on a social media network, and who that network might reach, says Simonson. They must make sure they have extended whatever corporate privacy [...] they have to address disclosure and reputational risks on social media, she adds.

Zappos' Magness says that in the end, it's all about the corporate culture and how much you trust your employees to do the right thing. "If you focus on maintaining the right people with the right attitude, then there shouldn't be much to fear" with social media, he says.

"The customer has access to all of the issues and the information," says Magness. "They are not listening to you telling them what you think your brand is. They are telling you what your [...]





Baited and Duped on Facebook

How smart companies are protecting employees from scammers and creating usage policies that work. By Mary Brandel

[...] Health Care and Affinity Health System in Wisconsin to use Facebook to spread [...]

[Ministry] Health Care employees are hesitant to use Facebook at all for fear of compromising patient privacy.

[...] an attacker, mixing the anonymity of the Web, easy and direct access to hundreds of millions of people, and an unprecedented amount of personal information. Consider that before social networking existed, criminals had to make a real effort to engage victims, says Adriel Desautels, chief technology officer at Netragard LLC, a security service provider that performs vulnerability assessments and penetration tests for clients.

Often, the payoff wasn't worth it. But with social media, it's easy to hit a large number of targets quickly and effectively, he says. "Instead of having to fool that one particular person, they can befriend a whole bunch of people," Desautels says. "They can post a URL on their wall, and one of those people is likely to click on it."

APPROACHING STORM

But while executives seem to grasp the potential threats of social networking, only a slim majority of organizations seem to feel the need to do something about it. In an exclusive September 2009 Computerworld survey, 53% of the 120 IT professionals polled reported that [...] undertaken related employee training.

A Deloitte LLP survey echoes those results. Only 15% of 500 executives polled said that the risks of social

Continued on page 30






Continued from page 28

[...] media are being addressed in the boardroom, although 58% said they agree that it's important to do so.




[...] geographic region in which they work, says Terry Gudaitis, cyberintelligence director at IT security firm Cyveillance Inc. Even then, it's pos-[...]






But even those that do have policies may not effectively communicate them. Of 2,008 employees that Deloitte surveyed, 26% said their employers had guidelines regarding what they could say online, 24% said they didn't know if their employers had such a policy, and 11% said that there was a policy but they didn't know what it was.

Not that a policy covers every base, says Ira Winkler, [a ...] columnist as well as the author of Spies Among Us (Wiley, 2005) and president of Internet Security Advisors Group, an IT security firm whose services include espionage simulations. But certainly a hands-off approach is no longer an option, nor is blocking the use of social sites at work. "Too many companies want to say, 'That's your private life, so I won't bother you,'" he says. "But people's insecure behavior at home proliferates insecurity in the business."

The concern isn't just that employees will divulge sensitive data outright. It's that they'll reveal enough information about themselves or their workplaces — either in one profile or distributed over several — to enable an imposter to assess their personalities and gain their trust, figure out responses to their password-reset questions or convincingly pretend to be a co-worker, business partner or customer (see "How Hackers Find Your Weak Spots").

“Little pieces of information put together the big picture,” Winkler says. Valuable tidbits include birth dates; the names of children, pets and best friends; hobbies; updates about vacations or life-changing events; and links to friends.

The information is simple to find, either by using reconnaissance tools such as those available at sites like Maltego.com and Pipl.com or by simply doing searches on Facebook or LinkedIn. When Netragard conducts penetration tests, it finds all the people on Facebook who work at a particular company ... analyzes the results to assess things like the company's culture, whether someone will respond quickly to a request or how seriously security personnel take their jobs. From a simple comment about a Java register misbehaving again, Desautels says, Netragard can create an attack that looks like something the company won't notice or care about.

HOW HACKERS FIND YOUR WEAK SPOTS

The bad news, Desautels says, is that there's no sure way to protect your company against social engineering threats. After all, the vulnerability stems from the natural human tendency to trust other people. However, there are measures you can take to reduce the risk that a hacker will succeed. A good place to start is with a social media policy.

Such policies range from strict to very liberal. For instance, sports broadcaster ESPN Inc. bans employees from setting up personal Web sites and blogs that contain sports content and requires workers to receive permission before engaging in any form of social networking dealing with sports. Meanwhile, Ministry Health encourages employees to discuss positive work events and even to offer constructive criticism of their employer. However, it also has guidelines that, for example, prohibit employees from sharing patient information online under any circumstances, Weider says.

One basic but controversial policy question is whether to allow workers to mention their employer by name in their online profiles or in social networking forums. According to Desautels, prohibiting those practices is the best way to defend against social engineering threats.

If you're really concerned, you could consider restricting employees from providing their office e-mail addresses and identifying the geographic region in which they work, says Terry Gudaitis, cyberintelligence director at IT security firm Cyveillance Inc. Even then, it's possible that a friend's comment or other conversations visible on an employee's profile could reveal employer information. In such a situation, it's up to the profile owner to monitor and delete those references, she says.

Similarly, Winkler suggests restricting employees from mentioning business developments on their profiles. What if, for example, a researcher discusses his lack of progress on a project ... revealing, a major breakthrough? Or if a salesperson tweets that she's meeting friends because she just won a big account? Combined with other information, such as names recently added to a salesperson's friend list, such tidbits can reveal quite a bit, Winkler says.

“This stuff used to be under lock and key in a private diary,” Gudaitis agrees. “The amount of disclosure on every level — business dealings, trade secrets, classified information and personal information — is enormously high.” Also ... security policies and offer employees ongoing training. That training could touch on ways to tighten the security settings on sites like Facebook. According to the Web site NextAdvisor.com, which compares online services, Facebook users should fine-tune who will have access to specific aspects of their profiles and posts using the “My Privacy” section of the site.


NOT TOO ‘FRIEND’-LY

Companies may also want to advise employees to not accept every friend offer that comes along. “In a lot of cases, people say yes to anyone who pops up,” says Gudaitis. “But then they're vulnerable to whoever those people may be.” Better to be conservative, she says, and approve only business acquaintances or old college buddies or family members.

To be even more cau-




Continued from page 31

... street address as well. “Your real friends and associates will likely already know this information, so including it on your profile will only increase your risk of being victimized by identity thieves,” the site says.

Of course, hackers can collect that information even if you don't provide it all in one place. To guard against that, Gudaitis suggests varying your screen name.

Imagine, she says, if a hacker were able to track a specific systems administrator's or help desk technician's every move online, gathering information from message boards and forums, because the victim used the ... “... understand their network and system architecture,” she says. “If we looked up every post someone had ... we could put the puzzle pieces together.”


... social engineering security gaps. In addition to advising employees to choose password-reset challenge questions ... information to employees' cell phones instead of their e-mail addresses.

Hiring practices are another area in which security can be tightened. Winkler suggests screening the social networking habits of job candidates not just for stereotypical areas of concern ... are in social media and how likely they are to do things like expose personal information and voice extreme political views.

Perhaps most key, says Desautels, is designing your infrastructure and managing your sensitive data with ... importance of using encryption, recording and logging network activity, classifying ... sensitive data in a zone that can't be reached through the network. With a properly designed infrastructure, “you can keep a successful penetration from being successful in stealing your data,” he says. “Just because they break in, they don't have to put you out of business.”

In the end, it's really about finding a balanced way to leverage social media while minimizing risk, Weider says. For him, social engineering threats are certainly among his top 10 concerns, but they're nowhere near No. 1. “It's something I take seriously,” he says, “but I do think there's a balance between reasonable risk and the likelihood of these various things taking place.” ■

Brandel is a Computerworld contributing writer. Contact her at marybrandel@




Social Security

Savvy employees already ... Twitter and Facebook to do business. But can you trust the public cloud? By Stacy Collett

Jaime Gesswein says it's his job to be paranoid.

So when doctors and staff at Children's Hospital of the King's Daughters in Norfolk, Va., began requesting access to YouTube to view medical videos and Facebook for monitoring ..., Gesswein, who's in charge of network security, was more than a little skeptical.

“I can look at all the disadvantages,” including overuse of bandwidth, security risks and patient privacy ... if [social networks] are providing [hospital employees] with the information they need to give better care, you have to figure out how to balance access to these sites.” He now grants access to about two-dozen workers — less than 1% of more than 2,500 IT-using employees — ...

What concerns him ... is the recent discovery that a few employees — without IT's involvement — have been using social networking ... with other facilities, doctors and administrators to share medical information.

“If it were [solely] up to me, I would say no way,” Gesswein says, noting that medical staffers are often more influential than the IT employees in a hospital setting. “But it's the wave of the future. Those people who fight it ... losing battle.”

It's a common dilemma facing many forward-thinking ... social networking and microblogging are changing the way people communicate, and they're starting to bleed into the enterprise — with or without the IT department's knowledge or control.

In a survey of more than 2,000 U.S. employees and executives by Deloitte LLP in April, some 23% of the executives polled said their companies use social networking as an internal communications tool. The report on social networking and reputation risk in the workplace also found that one-third of respondents were using social networking tools to manage and build their brands, and 22% of executives said they would like to use social networking tools at their companies but hadn't figured out how to do so.

Can you trust the public cloud with company information? Or are you ready to start using a customized internal social network controlled by the IT department? Users discuss the pros and cons of each option.

PUBLIC SOCIAL NETWORKING

Public sites such as Facebook, YouTube, Twitter, MySpace and others have infiltrated all facets of employees' lives. It's only natural that people are going to go with what they ... communicating with co-workers and clients. But public sites lack the security ... guards against the snooping eyes of ...

“Social networking tools are great for reaching out to customers, but employees sometimes overstep their boundaries,” says Oliver Young, an analyst at Forrester Research Inc. He recently spoke with a hospital manager whose nurses were “friending” patients on Facebook and providing medical advice outside of the hospital's legal purview. “It's a huge risk for them,” says Young, and the hospital wanted to prevent it from happening again. Employee education was the answer.

COMPUTERWORLD OCTOBER 19, 2009

“If you're doing anything other than customer support or marketing on a public social network, then it's risky in terms of data retention,” says Jevon MacDonald, a senior partner at Dachis Group, which develops custom social networks for businesses. “Consumer [social networking] services aren't safe enough. I've heard about companies creating private groups on Facebook, but there's just no security capability strong enough for an enterprise to use,” he adds.

INTERNAL SOCIAL NETWORKING

Dozens of boutique vendors offer customized software services for internal social networks. Microsoft Corp. and IBM are also upgrading their document collaboration tools to add social-networking-type features. Internal social networking tools provide the same kind of interpersonal collaboration as the popular public sites, but they also include document collaboration and even interaction with back-end office systems — all behind the firewall.

“The biggest advantage is that you can integrate ERP and CRM systems into the stream and leverage those processes — making them actionable,” MacDonald says.

“There are real successes with the inward-facing [social networks],” says William Zachmann, senior enterprise social networking analyst at Wainhouse Research in Duxbury, Mass. He points to big multinational companies that use them to identify employees with expertise in certain areas, which helps staffers easily find the go-to people when they need them.

But collaboration on a massive scale has its challenges. “It's a tricky thing to do. You're not just installing software, you're trying to deal with the social structure of the company and the psychology of people,” says Zachmann.

What's more, internal social networks can fall victim to the same massive information overload as public sites and e-mail. “They don't inherently reduce information,” Zachmann adds. Companies must develop filters for determining what information goes to each employee.

MIDDLE GROUND

Services such as Yammer, Socialcast and Huddle — and software-as-a-service-based offerings like Socialtext — provide a middle ground between public social networking sites and customized, behind-the-firewall setups. ... employee can start a free network feed and invite other colleagues to discuss ideas, post news, ask questions, and share links and other information. Employee profiles and conversation threads are also easily summoned. Access to these conversations is restricted to employees with valid company e-mail addresses.

But because they are free and easy to set up, these networks can pop up without IT's knowledge, and gaining control after the company's information is out there will cost you. At Yammer.com, for instance, companies can pay to administer their own networks.

Also, employees who leave a company will still be able to access the company's network unless an administrator removes them. “That mixture of present and past employees can be a dangerous mix,” Young says.

Another concern — especially for companies in highly regulated industries such as financial services and pharmaceuticals — is the risk of having social networking conversations summoned into a legal proceeding. Without control over archiving, it would be difficult to produce documentation, Young warns.

BATTENING DOWN THE HATCHES

Employee training that spells out what should and shouldn't be shared ...

Right now, Yammer is a relatively techie-oriented tool used mostly by technology ... with a lot of engineers. But it could also appeal to small organizations or departments that are “hive-minded” and already like to share information, MacDonald says.

“There is no question you can get some genuine benefits if you use the right platform and do it right. But identifying what the right platform is and doing it right is not all that easy,” Zachmann says.

Start with a project or small group and apply one of the social network strategies. If it adds value, begin thinking about the entire business as an ecosystem that could potentially be redesigned to utilize these tools, says MacDonald.

On the flip side, “if it's not productive — if employees don't say ‘I really want to work this way’ after the initial frustration people always have with changing to any technology — then you shouldn't be using these tools,” says Young.

Eventually, social networking features will probably ... document collaboration tools that companies are already using, and they'll be included with software upgrades, industry watchers say.

But enterprise social networking is at a very early stage, and whether it achieves widespread adoption or is just ... “... thing that's going to take ... the world tomorrow.” ■

Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.




An early adopter uses URL filtering technology to guard against phishing scams and malicious intrusions.

By Thomas Hoffman


“And yes, if you book online, then guess what, we know where you live [and] what time you're out,” he says.

In addition to keeping its employees safe, BT also wanted to apply technologies that would enable it to enforce its Internet usage policies. After holding a series of technical workshops with a number of security software vendors, Stanton and his team decided to use a set of URL filtering and security technologies from Blue Coat Systems Inc. about three years ago.

The systems include Blue Coat's ProxySG appliance, which BT uses to categorize URLs as either business productivity sites, such as LinkedIn, or sites that might be deemed improper, such as the Web pages of hate groups, says Steve Schick, a spokesman for the Sunnyvale, Calif.-based vendor. Depending on a customer's usage policies, the rackable ProxySG appliance can be configured to block access to certain ...


... approach toward employees' Internet use, it's important for it and other companies to also adopt practical usage policies, says IDC analyst Melanie Posey. “You have to know on some level what people are doing on the Internet and what impact it's having on network performance,” she says.

Stanton declined to quantify BT's investment in the security tools. Schick says pricing for the ProxySG appliance starts at $2,000, depending on the number of end users being monitored. ■

Hoffman is a freelance writer in New York. You can contact him at tom.hoffman24@gmail.com.


PROFESSIONALS

Tech Careers: IT Forensics Expert

An inquisitive nature helps these security pros investigate data breaches. By Julia King

LAST YEAR, when UCLA Medical Center announced the firing of 13 workers and disciplined ... forensics work that enabled the hospital to correctly identify the culprits.

And after part of a large cargo ship ... forensics experts who recovered and ... information resulting from their investigation revealed that the log files had been altered after the ship sank and a month before the computers were turned over to authorities for inspection.

The role of IT forensics expert typically falls under the broader job category of IT security. These security pros are in high demand at private companies, law enforcement agencies and law firms, which hire them to gather evidence and serve as expert witnesses during court proceedings. The primary job of an IT forensics expert, as described by the SANS Institute, is to analyze “how intruders breach an IT infrastructure in order to identify additional systems and networks that have been compromised.” Investigating attacks requires proficiency in forensics and reverse-engineering, as well as exploit methodologies, SANS notes.

Several certifications in IT forensics are available through both vendor-neutral organizations like SANS, which offers the GIAC Certified Forensics Analyst certification, and security software vendors, including Guidance Software Inc., which offers the EnCase Certified Examiner certification.

SALARY EXPECTATIONS

... IT forensics ... are. Specific job titles of professionals who perform IT forensics work include security analyst and security administrator. The national average annual ... 2009 by Foote Partners LLC.

TRAINING REQUIREMENTS

At least for now, there is no definitive route for becoming an IT forensics expert. For example, Steve Hunt, a security industry analyst at the Computer Technology Industry Association (CompTIA), believes liberal arts students who majored in math or philosophy make the best IT forensics experts. “These are people who will take different ideas and reassemble them in different ways,” Hunt says.

“There's a natural talent for it,” says Alan Paller, research director at the SANS Institute. “The ones who are best have an inquisitive, take-it-apart personality. They'll spend hours and hours and hours digging into things.” Not surprisingly, that can be the downside of the work. “It can be lonely,” says Gregory Evans, CEO of Atlanta-based Ligatt Security International LLC. But it can also be incredibly rewarding, adds Evans, whose IT security firm recently helped track down a child molester by tracing his e-mails. ■



John Viega

Your Own Worst Enemy


THERE'S BEEN a lot of fuss in the press recently about Web 2.0 security. In the past year, Facebook and Twitter both have had serious problems that have made some waves among the technically savvy. People are starting to wonder if we, as an industry, just don't know anything about securing Web 2.0 applications. There's a bit of truth to that, but mostly the software development industry is just plain bad at creating secure software of any kind.


Even in organizations where all developers receive software security training, it's rare for them ... are thinking about features, first and foremost. When it comes to security, they just go through the motions. The ability to log in with a password is a feature. SSL support is a feature. It's unusual for anybody to pay attention to doing things right — until they get bitten publicly a few times.

Take Twitter, for example. The site has had a litany of security glitches over the past year, including ... problems. Until it got burned, it wasn't so much that Twitter thought it didn't have to worry about security. It was more that it thought its ... to address the problem as a matter of course.

After a couple incidents proved that the company didn't actually have it together, the Twitter guys wanted to do the right thing. They didn't want a bad reputation for security. As a result, they've brought in outside consultants to look for security flaws in their code. And they've been trying hard to recruit a full-time person to take ownership of product security. I expect that Twitter, like many other companies, is finding that it's extremely difficult to find high-caliber software security talent.

But if you take a closer look at Twitter, a lot of its problems aren't necessarily problems in the software platform (although some of them definitely are). For example, it isn't uncommon for bad guys to hack into a celebrity's Twitter account and make fake posts or hack into the accounts of Twitter employees. Sure, the software platform can try to address those threats, but a big part of the problem is the operational security.

Twitter's employees need to make sure they are selecting strong passwords. And they should be doing as much as possible to encourage their users to do the same.

To some degree, Twitter is already doing these things. But even if the company makes a big effort to encourage responsible behavior among its employees and customers, people are still going to get hacked. Some people may use the same password everywhere, including on hacked sites. Others may try hard but still choose passwords that can't withstand guessing attacks. And still others may be victimized ... tricked into typing their credentials into a phony Web form. This has been a big concern with Twitter, where there are lots of add-on services that ask for your credentials, including Bit.ly, Mr. Tweet and so on.

The truth is, most security breaches require the end user to take — or fail to take — some kind of action.

There are certainly issues with AJAX and cloud-centric application models that leave Web 2.0 applications open to attack. That's to be expected — security always lags a bit behind innovation. But at the end of the day, those issues pale in comparison to the threat users pose to themselves. People are largely very trusting, and bad guys are always going to be able to take advantage of that trust. That will be true even if the day comes when our software has no holes in it and our software vendors are perfect citizens. ■

John Viega is chief technology officer of the software-as-a-service business unit at McAfee Inc. and author of The Myths of Security (O'Reilly Media, 2009).


OCTOBER 19, 2009




Keep It Clean

How worthwhile is it to give your resume an extra read-through before sending it out? It could make all the difference between getting an interview and sitting around waiting for a call that will never come. Accountemps surveyed senior executives at large companies and found that four in 10 would toss out a resume that had even one typo in it.

And don't rely on spell check. Some examples of perfectly spelled words that still constitute typos and that appeared on real resumes are included in the Resumania Hall of Fame (at Resumania.com). Sometimes the problem can be as small as a missing comma. Here are some sentences and phrases that pass the spell-check test: "Fluent in both English and Spinach." "I am a rabid typist." "Quick leaner." "Interests: Music, dancing computers." "Referees


■ Q&A

Jon Gordon

The author of Training Camp: What the Best Do Better Than Everyone Else says the secret to success might be as simple as hard work.


I've read a lot of prescriptions for success, but these days you don't hear much about hard work. It's certainly a factor, but is it really the preeminent qualification for success?

I really believe it is. Innovation doesn't happen without hard work. Producing a great product or service doesn't happen without hard work. Real leadership happens in the trenches, not on the golf course. Software doesn't get produced without thousands of hours of hard work. Of course, you have to be smart, you have to have the right strategy, you have to have a great culture. But hard work is what translates vision and ideas into results. Study the best of the best and you'll find that they really do work harder than everyone else.

A lot of people think hard work goes unnoticed, and that it just makes you a drudge. How do you make sure your boss sees the extra stuff you do?

I have found that when you work hard, people notice. Maybe not right away, but eventually people notice, and rewards happen without you pushing for them. They naturally come your way. The key is to do your best every day and strive for excellence in all that you do.


If you are working hard and looking for the reward, this usually creates a neediness that stops others from rewarding you. Rewards come to those who are humble and hungry - humble in that you are striving to learn, grow and improve every day, and hungry with a passion to be your best and bring out the best in others. When you make excellence your focus, success and rewards are just a nice byproduct. The reward is in the work, not in the outcome.

What about the advice to work smarter, not harder?

You definitely need to work smarter, too. But work smarter and harder. They go together. It's true that by working smarter and being more productive with your time, you may not have to work as hard to enjoy your current level of success. But if you want to be more successful or rise to the top of your field, then "smarter, not harder" won't do. Those who adopt the motto of working smarter, not harder, will eventually be left in the dust by the competition. The best are always striving to get better. They are always pushing themselves beyond their comfort zone. They are always innovating and improving.

- JAMIE ECKLE





Shark Tank

TRUE TALES OF IT LIFE AS TOLD TO SHARKY

Um, Right

At this medical-industry IT company, a report is generated every two weeks about the status of certain benefits. "The report shows how many vacation hours were used the ... has a summary of accumulated vacation hours and long-term disability hours," says a pilot fish working there. "Because the company has to keep funds on hand equal to ... encourages staff to keep built-up vacation hours down. My boss stopped by my office. 'Your vacation hours are kind of high. You need to schedule some vacation,' he told me. And then he added, 'Oh, and your long- ... high, too.'"

And Be Specific

Support pilot fish at this big ... a call from a client asking how to go about recycling a communications device. "The device is researched and found to be under the control of a different group in a different country," says fish, who finds the phone number of that group. That's a wrap as far as fish is concerned, since the device is controlled elsewhere. But the next week, he learns it's not the end of the story. "The operations supervisor calls me in for a royal chewing out for not documenting the problem and ... to date on what was done to the device." It seems that the client spent the weekend trying to get hold of the group, all ... the weekend off. Sighs fish, "My new marching orders are to write up everything not done for the clients."

We'll Get Right on That

This pilot fish is called into his boss's office - and the big man is not happy. "He had been working for hours on a report in Lotus Notes," says fish. "Then Notes crashed. He told me to get his report back. I asked if he'd saved his work at any time in his writing. Of course he hadn't. I explained that I was afraid there was ... saved. His reply: make it so this never happens again."

Bet She Checked, Too

This pilot fish is walking out ... co-worker, and she's excited about a new program she just found that will let her monitor her house while she's at work. "She was asking if our firewall would allow her to do this," says fish. "Intrigued, I asked her what this program was. She started telling me about Google Earth, and how you can zoom in and get a satellite view of your house. I tried explaining that this was just a static picture, but she was sure I was wrong. So I asked her to check it that night and see if it was dark. She sheepishly turned away and said, 'Never mind.'"

■ Sharky wouldn't mind seeing your true tale of IT life. Send it to me at sharky@computerworld.com. You'll get a stylish Shark shirt if I use it.

Need to vent your spleen? Toss some chum into the rolling waters of Shark Bait.

THE GREAT office politics battle is over, and you stand victorious. This was no minor skirmish, but an important philosophical battle, one that will determine the future direction of the technology, strategy or organization of your group. Your foes fought bravely, but some combination of the force of your arguments, the virtue of your personality and the cunning of your maneuvers overwhelmed them. Now that the vanquished lie at your feet, what do you do with them?

First, let's assume that you have fought for a noble cause and that you were motivated not by personal gain, but by what you truly believed was best for the organization and its members. Next, let's also assume that what you do now will be motivated not by malice or a need for vengeance, but by a desire to maximize progress for the whole group.

In general, you have four choices of what to do with your former opponents. Depending on your circumstances, some of them may not be possible because of legal concerns, cultural constraints, corporate policies or threats of lawsuits.

The question for the righteous victor is whether to slaughter, banish, spare or adopt his ...

1. ... probably would have advocated: After completing your victory over your foes, make sure that you eliminate them. In the office context, this would probably mean having someone fired. Although it may seem cruel, there are occasions when this might be appropriate. If your enemy demonstrated bad faith in the battle — advocating a point of view with an eye toward personal gain and nothing more, or adopting a position merely to oppose you — then he may not be able to support the strategy and should be removed for the good of the group. This will protect you from potential retaliation or an attempt to overturn your victory. It can also serve as a warning to others about the perils of playing politics for the wrong reasons.

2. Banish your enemy. Less extreme than trying to get someone fired is attempting to transfer her to another area. If your opponent fought for the right reasons and genuinely disagreed with your approach, she may have difficulty adapting to the new environment. If she fought for a principle but lost, she may have trouble accepting the new reality. She may consider it a moral duty to continue opposing you. In these cases, goodwill should not be punished, but rather harnessed elsewhere in the organization. Find your enemy a good home - somewhere far away ...

3. ... you believe that your enemy fought nobly, was motivated by goodwill and ca... who will provide future value and perspective. You don't want to purge all of the people who disagree with you. That produces an environment in which people don't feel safe expressing their opinions, and it becomes easy to lose touch with reality.

4. Adopt your enemy. More than just sparing your enemy, you can adopt her as your right hand. There are two scenarios in which this could be a good idea. One is when your enemy, beyond just admitting defeat, accepts the rightness of your position. As a convert, she may become your greatest advocate and a good friend. The other scenario in which it may be useful to adopt your enemy is when eliminating or banishing ...

Remember: It's not just winning a battle of office politics that will make you successful. Success requires knowing what to do after the victory to consolidate your gains and ensure future support. ■

...tions improve productivity through leadership, and the author of the award-winning book Leading Geeks (Jossey-Bass, 2003). You can contact ...

